The West's Cyber Wars
by Alex Mitchell
On March 7th the electricity system in Venezuela experienced its worst-ever blackout as a result of an American cyber attack. Mainstream media devoted little coverage to the event, and the sparse attention extended to this new dimension in covert warfare was weakened by highly partial reporting.
In late 2018, Conservative foreign secretary Jeremy Hunt condemned Moscow’s “reckless and indiscriminate” cyber attacks, which tried “to undermine and interfere in elections in other countries” and flouted international law. A statement issued by the UK’s secretive Government Communication Headquarters (GCHQ) accused Russia’s military intelligence of hacking the US Democratic National Committee (DNC) in 2016, and the World Anti-Doping Agency in 2017. Maria Zakharova, the Russian foreign ministry spokeswoman, described the British allegations as “fantasy” (1).
On the same day, 4 October 2018, in a clearly coordinated press statement, the Dutch defence ministry revealed that its government had expelled four Russian diplomats six months earlier for an attempted intrusion into the computer network of the Organization for the Prevention of Chemical Weapons (OPCW), which is located in The Hague. The diplomats had been apprehended in a hotel near the OPCW, around the time the UN agency had been analysing the nerve agent discovered in Salisbury, which Britain alleges was manufactured in Shikhany, a formerly closed city on the Volga river in central Russia. They were said to be officers of Russian military intelligence (2).
Cyber attacks have taken on a distinctly geo-political hue in the last few years. Electronic communication emerged in the 1970s, driven by American and Soviet efforts to build nuclear bomb-proof telecommunication networks. Cyber espionage soon followed, with claims that the US Advanced Research Projects Agency, which developed a precursor to the Internet, had been hacked by the USSR. By the mid-1990s hackers were online in ever larger numbers, government agencies included (3). Anonymous, the loose network of anarchist hacktivists, emerged in 2004 adopting the tag line: “We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us!” (4). Hacking became more political in support of the Occupy Movement in 2010/2011 and the release of American diplomatic cables by WikiLeaks.
The threat from Anonymous probably galvanised the authorities into trying to track down those involved. As is well known, in order for the police to infiltrate a subversive group, the agent must encourage and participate in illegal activities. To avoid later exposure, the agent provocateur must also be arrested and punished when the group is rounded up. Entrapment techniques have been used to track child pornography rings operating over the Internet, for example. It is not clear exactly when GCHQ started pro-active interventions in cyber space, either against hacktivists or other governments, but it is certain that the agency has now been engaged in this for some years. GCHQ appears to have also been tasked with assisting social media users to organise against the governments of Iran, Tunisia, Libya and Egypt.
Whistleblower Edward Snowden, who released information from the US National Security Agency (NSA) in 2013, revealed the extent of government Internet snooping by the ‘Five Eyes’ governments: Australia, Canada, New Zealand, UK and USA (5). Documents obtained from Snowden by broadcaster NBC showed that Britain’s GCHQ was undertaking operations “traditionally associated with MI6”, according to The Independent newspaper. These included Deny/Disrupt/Degrade/Deceive activities targeted at advanced persistent threats, in other words foreign governments, as well as domestic threats, like the hackers from Anonymous. In particular, GCHQ, according to NBC, had been involved in disrupting Iran’s uranium enrichment programme in 2010 (6).
IF YOU GO DOWN TO THE WOODS TODAY
The DNC hacking is perhaps the best known allegation of state-directed cyber intrusion (see The Socialist Correspondent 30, Spring 2018). But other cases have been cited by cyber security specialists. Attributing responsibility for a hack is never easy since the hackers usually wish to avoid being traced. Cyber security experts look for similarities in the hackers’ modus operandi (MO). When the DNC intrusion was detected, the Democratic Party called on the services of CrowdStrike to disinfect their network. All staff were told to leave their laptops at work over the weekend. CrowdStrike discovered two sets of hackers had got into the network, whom they dubbed Cozy Bear and Fancy Bear (7). The nicknames stuck and soon Fancy Bear was revealed to have been active on the Internet for several years.
According to cyber security consultants ThreatConnect, Fancy Bear had attempted to discredit the results of Ukraine’s presidential election in 2014 through an attack on the Ukrainian Central Election Commission. Responsibility for the attack was claimed by CyberBerkut, supposedly a group of former Ukrainian police officers who had been dismissed as a result of their role in trying to clear the Maidan protesters in Kiev. Fancy Bear, alias CyberBerkut, is alleged to have attacked the Bellingcat website run by Eliot Higgins, which later revealed the identity of the Russian special forces officers accused of the assassination attempt in Salisbury. Higgins is himself accused of links to British intelligence. He set up his website to coordinate social media posts coming out of Libya in 2011 (8).
To avoid being tracked down, ThreatConnect allege, Russian military intelligence set up part of its operation at a Romanian web hosting service that supplies Bitcoin. Paying in Bitcoin allowed hackers to buy Internet services anywhere in the world without fear of being traced through a normal financial paper trail. (9) In order to load their Bitcoin wallet, the hackers used malware to hold companies’ networks to ransom, along the lines of the WannaCry attack in 2017. Cyber security consultants call government hackers ‘advanced persistent threats’ because their MO uses sophisticated malware that is not generally available to hackers from civil society. The WannaCry malware is thought to have been stolen from the NSA.
Responsibility for the DNC hack was claimed by DCLeaks, a self-proclaimed “American hacktivist group”. DCLeaks posted emails to and from Hillary Clinton on its website, but these proved to be hard to search. So ‘Stephan Orphan’, who posed as the person responsible, went under the moniker of Guccifer 2.0 and was supposedly based in Romania and France, gave the data to WikiLeaks to unscramble and post in a format that journalists could analyse. ThreatConnect alleges that DCLeaks, Guccifer 2.0 and Fancy Bear are all parts of Russian military intelligence.
In May 2011, a group of hacktivists who called themselves Lulz Security claimed responsibility for hacking the Fox Broadcasting Company to steal the details of 73,000 US X Factor contestants. They then stole personal data from the American Public Broadcasting Service and Sony Pictures. They also hacked into the US Senate and took the CIA website offline for several hours. Then, after 50 days of mayhem, they stopped.
A number of things are unusual about Lulz Security. The group set out to expose lax cyber security at major American companies and government organisations, then revealed the techniques they had used so that the security breaches could be fixed. A BBC report stated that “many security specialists say privately that they are happy LulzSec is running amok online, highlighting the need for a renewed focus on data protection.” (10) The public spiritedness of the group’s activities raises questions as to whether they really were just a bunch of anarchists having fun at the expense of big corporations. Furthermore, ThreatConnect says that Lulz Security “conducted operations to help people communicate outside of Iran during the attempted Green Revolution in 2009 and access the Internet in countries involved in the Arab Spring protests” in 2011. (11)
Later court testimony shows that Lulz Security comprised several British and Irish nationals, and one American. The apparent leader was Ryan Ackroyd (moniker Kayla), a British Army Iraq War veteran and electronic warfare specialist, who recruited a couple of teenage hackers from Shetland and London to join the enterprise. Unfortunately he also linked up with one Hector Monsegur (aka Sabu), a Puerto Rican living in New York who was an FBI informer. All were arrested but received unusually light sentences. All except Ackroyd pleaded guilty and were given suspended sentences. Ackroyd, from South Yorkshire, used a ‘trip wire’ programme to erase his computer history at the point he was arrested. He pleaded not guilty so that he did not have to reveal anything to the court. He was sentenced to 30 months, rather than the maximum penalty of 24 years, and is now an associate lecturer at Sheffield Hallam University, while Monsegur works for a cyber security consultancy based in Seattle. (12)
In February 2019, the UK Government’s own Investigatory Powers Commissioner reported that GCHQ had infiltrated foreign computers and networks, to conduct operations that would have been illegal had they been undertaken in the United Kingdom. It is the first time such an admission has been made, although no details were provided as to which countries GCHQ was targeting. (13)
MANIPULATING POPULAR UNREST
Smart cell phones have enabled people to organise protests and act as citizen reporters, by uploading pictures, videos and blogs to the Internet. Political parties campaign legitimately through social media to influence public opinion, but so can covert actors from outside the country seeking to destabilise ‘the regime’.
A people power “colour revolution” was anticipated in Iran following the 2009 presidential elections. In the event, police and militia were able to disperse the protesters rapidly. The Iranian government accused the UK of meddling in their internal affairs. Ayatollah Ali Khamenei called Britain a treacherous “Little Satan”. Foreign secretary David Miliband described the allegations as “wholly without foundation” (14). No doubt the British authorities learnt lessons from this episode and were able to work more effectively with protesters during the Arab Uprising in North Africa and, more recently, in Syria, to facilitate news gathering from non-government sources in conflict zones and spread propaganda. (On the Arab Uprising and Iranian protests, see The Socialist Correspondent, 11, Spring 2011, and 30, Spring 2018.)
It is likely that the UK has been a major player in attempts to destabilise other governments in the pursuit of regime change, employing apparently independent civil society groups to ensure deniability. Some of these attempts may even have been directed against the Russian state, and it is therefore hardly surprising that the ‘push back’ we warned of a decade ago has now occurred (The Socialist Correspondent, 3, Autumn 2008, p. 18). Over this period, there has been an expansion of foreign language TV news by broadcasters from China, Iran, Russia and Saudi Arabia in order to compete with the BBC and CNN, to the alarm of some in the West who claim that only their story is the truth (15). Cyber space opened up further possibilities for countries feeling threatened by the USA and its close allies. Cyber security consultants working for the UK government hint that the most active advanced persistent threats to public and private computer networks in the NATO countries originate from China, Iran, North Korea, Russia and Saudi Arabia. As already mentioned, some of these countries are also alleged to be behind social media campaigns that have copied the tactics used by Western promoters of the colour revolutions.
Cyber space has become one of the battlegrounds between the old imperial powers. Indeed, cyber space is viewed by the ‘Five Eyes’ security establishment as a theatre of operations to gain influence and intelligence, and to establish positions ‘behind the lines’, that will advance their strategic and class interests. And Venezuela is only the latest to feel the heat.
(1) Russia GRU claims: UK points finger at Kremlin’s military intelligence, BBC News, 4 October 2018.
(2) Russia’s GRU ‘targeted chemical weapons watchdog OPCW’, BBC News, 4 October 2018; Pippa Crerar, Jon Henley and Patrick Wintour, Russia accused of cyber-attack on chemical weapons watchdog, The Guardian, 5 October 2018.
(3) Angus J Kennedy, 1999, The Rough Guide to the Internet, London: Penguin: pp. 443-445 and 453-454.
(4) See Wikipedia https://en.wikipedia.org/wiki/Anonymous_(group)
(5) The Five Eyes operate their own classified wide area network, a parallel Internet, and reportedly have intelligence sharing agreements with several other countries, including Israel.
(6) Snowden leaks: GCHQ ‘attacked Anonymous’ hackers, BBC News, 5 February 2014; Cahal Milmo, Edward Snowden revelations: GCHQ ‘using online viruses and honey traps’ to discredit targets, The Independent, 9 February 2014.
(7) Vicky Ward, The Russian expat leading the fight to protect America, Esquire, 24 October 2016.
(8) ThreatConnect, What is a faketivist? https://threatconnect/blog/faketivist-vs-hacktivist-how-they-differ/; Jamie Doward, How a college tech drop out became the champion of new investigative journalism, The Observer, 30 September 2018.
(9) ThreatConnect, What is a Name Server? 7 July 2016 at https://threatconnect/blog/whats-in-a-name-server/
(10) Ian Mackenzie, Who loves the hacktivists? BBC News, 22 June 2011.
(11) ThreatConnect, What is a faketivist? https://threatconnect/blog/faketivist-vs-hacktivist-how-they-differ
(12) Information from Wikipedia pages for Anonymous group, LulzSec, Hector Monsegur, Mustafa Al-Bassam, Topiary (hacktivist) and Ryan Ackroyd.
(13) David Bond, Foreign Office rapped for oversight of top secret spy missions, Financial Times, 2 February 2019.
(14) Robin Oakley, Why is Iran so upset with Britain?, CNN, 23 June 2009; Damian McElroy and Ahmed Vahdat, London-based activists ‘coordinating’ Iranian protest movement, The Daily Telegraph, 31 July 2009.
(15) CCTV is owned by the Chinese government, Press TV is a subsidiary of the Iranian national broadcaster, and RT is part of Sputnik, a Russian government funded news agency (formerly Novosti). Al Arabiya is broadcast from Dubai but is owned by MBC Group, based in Saudi Arabia and owned by a member of the Saudi royal family.